error 2 at 1 depth lookup:unable to get issuer certificate

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: error 2 at 1 depth lookup:unable to get issuer certificate

Post by phoenix »

fosiul@gmail.com wrote:
> Thanks, let me speak with them, see if they provide me root certificate
>
> I will come back soon.
> Spoke with Vendor, they said they don't provide Root certificate and that's only valid for Web server.
>
> So I guess I will have to buy a new SSL certificate.

Have you looked at using a Letsencrypt certificate for your ZCS server? JDunphy has written a great write-up in the wiki and there's also a sticky thread in this forum on that topic.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
fosiul@gmail.com
Posts: 21
Joined: Sun Sep 02, 2018 5:03 pm

Re: error 2 at 1 depth lookup:unable to get issuer certificate

Post by fosiul@gmail.com »

Hi
I have one question.

If I buy a new SSL certificate from Comodo which is for mail.ourdomain.com, will it cover all SSL functionality for the Zimbra service? Or do I need to buy a wildcard certificate?

Please advise

Thanks
fosiul@gmail.com
Posts: 21
Joined: Sun Sep 02, 2018 5:03 pm

Re: error 2 at 1 depth lookup:unable to get issuer certificate

Post by fosiul@gmail.com »

phoenix wrote:
> Have you looked at using a Letsencrypt certificate for your ZCS server? JDunphy has written a great write-up in the wiki and there's also a sticky thread in this forum on that topic.

Hi, you meant "https://letsencrypt.org/"?

I did not!! Let me have a look as well!!

Thanks for the advice
gvargas99
Posts: 3
Joined: Sat Dec 08, 2018 7:58 pm

Re: error 2 at 1 depth lookup:unable to get issuer certificate

Post by gvargas99 »

[Solved]
I had the same issue with the 1and1 certificate; I have it working now. These are the steps:
1. You need to convert the .cer certificate into a .crt certificate. You need to do this for both files (certificate and intermediate).
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
openssl x509 -inform PEM -in intercertificate.cer -out intercertificate.crt
2. Create the bundle cert by merging both.
cat certificate.crt intercertificate.crt >>bundle_cert.crt

3. This is the key part - you need to move the key and the bundle to the nginx directory and rename them. (This is how I got it working.)
Copy both files to /opt/zimbra/conf
Make a backup of nginx.crt and nginx.key
Rename yourkey.key to nginx.key and bundle_cert.crt to nginx.crt

4. Restart the proxy
zmproxyctl restart


Done.
apoeti
Posts: 2
Joined: Tue Sep 25, 2018 11:56 am

Re: error 2 at 1 depth lookup:unable to get issuer certificate

Post by apoeti »

Hello, I had the same error. I solved it using this guide:
Single-Node Wildcard Commercial Certificate

Using a Wildcard Certificate, you will need the following files, because you probably generated the CSR on another server:
The .key file with which you generated the CSR.
The .crt file that your SSL provider gave you.
The CA Intermediate and the root files merged into a single file, called for example ca_chain.crt

1.- Backup your actual .key file located in /opt/zimbra/ssl/zimbra/commercial/commercial.key:
mv /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key.backup

2.- Move your actual .key file into the path /opt/zimbra/ssl/zimbra/commercial/ with the name commercial.key:
mv /tmp/wildcard.key /opt/zimbra/ssl/zimbra/commercial/commercial.key

3.- Verify all the files before deploying the SSL certificate with the next command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/wildcard.crt /tmp/ca_chain.crt
Attention!!! (Paste at the end of the /tmp/wildcard.crt file the root certificate, from --- BEGIN --- to --- END ---)

4.- Then as user root (or zimbra for 8.7+) run the next command, please be sure to use the proper path instead of /tmp:
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/wildcard.crt /tmp/ca_chain.crt

5.- Restart your Zimbra Collaboration server as Zimbra user:
zmcontrol restart

6.- To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Regards.
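
Added example (not part of any post above and not Zimbra's own code): the error in the thread title can be reproduced and cleared with plain openssl by verifying a leaf certificate first against a CA file holding only the intermediate, then against intermediate plus root, alongside a key/certificate match check. The throwaway chain, the file names and the helper functions (issue, build_demo_chain, verify_chain, key_matches) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample data only: a throwaway root -> intermediate -> leaf chain.

issue() {  # issue <dir> <name> <CN> <signer-name|self> <extfile>
  local d=$1 n=$2 cn=$3 signer=$4 ext=$5
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  if [ "$signer" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$ext" -out "$d/$n.crt" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$signer.crt" \
      -CAkey "$d/$signer.key" -CAcreateserial -days 2 \
      -extfile "$ext" -out "$d/$n.crt" 2>/dev/null
  fi
}

build_demo_chain() {  # build_demo_chain <dir>
  local d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
  issue "$d" root  "Demo Root CA"         self  "$d/ca.ext" &&
  issue "$d" inter "Demo Intermediate CA" root  "$d/ca.ext" &&
  issue "$d" leaf  "mail.example.test"    inter "$d/leaf.ext" &&
  cat "$d/inter.crt" "$d/root.crt" > "$d/ca_chain.crt"
}

verify_chain() {  # verify_chain <cert> <CA file>; trusts only that file
  openssl verify -no-CApath -CAfile "$2" "$1" 2>&1
}

key_matches() {  # key_matches <cert> <key>: do both hold the same public key?
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

demo=$(mktemp -d) && build_demo_chain "$demo" || exit 1
echo "--- CA file holds only the intermediate (root missing):"
verify_chain "$demo/leaf.crt" "$demo/inter.crt" || true
echo "--- CA file holds intermediate + root:"
verify_chain "$demo/leaf.crt" "$demo/ca_chain.crt"
key_matches "$demo/leaf.crt" "$demo/leaf.key" && echo "--- key matches certificate"
rm -rf "$demo"
```

The first verification stops at depth 1 because the intermediate's issuer is not in the CA file; adding the root to that file lets the same certificate verify.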